/* Forward declaration of the unit-test registration hook for this keyword.
 * The definition appears further down in this file and registers the
 * DetectDnsQueryTest* and DetectDnsQueryIsdataatParseTest cases via
 * UtRegisterTest(); it is declared here so the keyword registration code
 * above the tests can reference it. */
65 static void DetectDnsQueryRegisterTests(
void);
/* File-scope id of the dns_query inspection buffer, zero until assigned.
 * NOTE(review): neither the assignment nor a read of this id is visible in
 * this excerpt; presumably it is set at keyword registration and used as the
 * list id when fetching the inspect buffer -- confirm against the full file. */
67 static int g_dns_query_buffer_id = 0;
84 if (!first && buffer->
inspect != NULL)
89 if (rs_dns_tx_get_query_name(cbdata->
txv, cbdata->
local_id, &data, &data_len) == 0) {
97 static int DetectEngineInspectDnsQuery(
101 Flow *f, uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
103 uint32_t local_id = 0;
113 transforms, f, &cbdata, engine->
sm_list,
false);
114 if (buffer == NULL || buffer->
inspect == NULL)
152 const uint64_t idx,
const uint8_t
flags)
158 const int list_id = ctx->
list_id;
160 uint32_t local_id = 0;
166 f, &cbdata, list_id,
true);
180 static void PrefilterMpmDnsQueryFree(
void *ptr)
197 mpm_reg->
app_v2.alproto, mpm_reg->
app_v2.tx_min_progress,
198 pectx, PrefilterMpmDnsQueryFree, mpm_reg->
pname);
204 uint8_t
flags,
void *alstate,
void *
txv, uint64_t tx_id)
212 uint8_t
flags,
void *alstate,
void *
txv, uint64_t tx_id)
236 PrefilterMpmDnsQueryRegister, NULL,
241 DetectEngineInspectDnsQuery, NULL);
244 "dns request query");
253 DetectEngineInspectDnsResponse, NULL);
287 static int DetectDnsQueryTest01(
void)
290 uint8_t buf[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
291 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
292 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
293 0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
294 0x00, 0x10, 0x00, 0x01, };
296 void *dns_state = NULL;
304 memset(&f, 0,
sizeof(
Flow));
307 "192.168.1.5",
"192.168.1.1",
312 f.
proto = IPPROTO_UDP;
326 "(msg:\"Test dns_query option\"; "
327 "dns_query; content:\"google\"; nocase; sid:1;)");
335 STREAM_TOSERVER, buf,
sizeof(buf));
337 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
350 printf(
"sig 1 didn't alert, but it should have: ");
369 static int DetectDnsQueryTest02(
void)
372 uint8_t buf1[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
373 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
374 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
375 0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
376 0x00, 0x01, 0x00, 0x01, };
378 uint8_t buf2[] = { 0x10, 0x32,
382 0x00, 0x00, 0x00, 0x00,
384 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
385 0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
386 0x00, 0x01, 0x00, 0x01,
389 0x00, 0x01, 0x00, 0x01,
390 0x00, 0x01, 0x40, 0xef,
392 0x01, 0x02, 0x03, 0x04 };
395 uint8_t buf3[] = { 0x11, 0x33, 0x01, 0x00, 0x00, 0x01,
396 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
397 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
398 0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
399 0x00, 0x10, 0x00, 0x01, };
401 void *dns_state = NULL;
402 Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
409 memset(&f, 0,
sizeof(
Flow));
412 "192.168.1.5",
"192.168.1.1",
415 "192.168.1.5",
"192.168.1.1",
418 "192.168.1.5",
"192.168.1.1",
423 f.
proto = IPPROTO_UDP;
448 "(msg:\"Test dns_query option\"; "
449 "dns_query; content:\"google.com\"; nocase; sid:1;)");
452 "(msg:\"Test dns_query option\"; "
453 "dns_query; content:\"google.net\"; nocase; sid:2;)");
461 STREAM_TOSERVER, buf1,
sizeof(buf1));
463 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
476 printf(
"(p1) sig 1 didn't alert, but it should have: ");
480 printf(
"(p1) sig 2 did alert, but it should not have: ");
488 printf(
"toserver client 1 returned %" PRId32
", expected 0: ", r);
498 printf(
"(p2) sig 1 alerted, but it should not have: ");
502 printf(
"(p2) sig 2 alerted, but it should not have: ");
510 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
520 printf(
"(p3) sig 1 alerted, but it should not have: ");
524 printf(
"(p3) sig 2 didn't alert, but it should have: ");
545 static int DetectDnsQueryTest03(
void)
548 uint8_t buf[] = { 0x00, 28,
549 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
550 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
551 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
552 0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
553 0x00, 0x10, 0x00, 0x01, };
555 void *dns_state = NULL;
564 memset(&f, 0,
sizeof(
Flow));
568 "192.168.1.5",
"192.168.1.1",
574 f.
proto = IPPROTO_TCP;
590 "(msg:\"Test dns_query option\"; "
591 "dns_query; content:\"google\"; nocase; sid:1;)");
599 STREAM_TOSERVER, buf,
sizeof(buf));
601 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
614 printf(
"sig 1 didn't alert, but it should have: ");
635 static int DetectDnsQueryTest04(
void)
638 uint8_t buf[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
639 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
640 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
641 0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
642 0x00, 0x10, 0x00, 0x01, };
644 void *dns_state = NULL;
652 memset(&f, 0,
sizeof(
Flow));
655 "192.168.1.5",
"192.168.1.1",
660 f.
proto = IPPROTO_UDP;
674 "(msg:\"Test dns_query option\"; "
675 "dns_query; content:\"google\"; nocase; "
676 "pcre:\"/google\\.com$/i\"; sid:1;)");
679 "(msg:\"Test dns_query option\"; "
680 "dns_query; content:\"google\"; nocase; "
681 "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
689 STREAM_TOSERVER, buf,
sizeof(buf));
691 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
704 printf(
"sig 1 didn't alert, but it should have: ");
708 printf(
"sig 2 didn't alert, but it should have: ");
728 static int DetectDnsQueryTest05(
void)
731 uint8_t buf1[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
732 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
733 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
734 0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
735 0x00, 0x01, 0x00, 0x01, };
737 uint8_t buf2[] = { 0x10, 0x32,
741 0x00, 0x00, 0x00, 0x00,
743 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
744 0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
745 0x00, 0x01, 0x00, 0x01,
748 0x00, 0x01, 0x00, 0x01,
749 0x00, 0x01, 0x40, 0xef,
751 0x01, 0x02, 0x03, 0x04 };
754 uint8_t buf3[] = { 0x11, 0x33, 0x01, 0x00, 0x00, 0x01,
755 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
756 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
757 0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
758 0x00, 0x10, 0x00, 0x01, };
760 void *dns_state = NULL;
761 Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
768 memset(&f, 0,
sizeof(
Flow));
771 "192.168.1.5",
"192.168.1.1",
774 "192.168.1.5",
"192.168.1.1",
777 "192.168.1.5",
"192.168.1.1",
782 f.
proto = IPPROTO_UDP;
807 "(msg:\"Test dns_query option\"; "
808 "dns_query; content:\"google.com\"; nocase; sid:1;)");
811 "(msg:\"Test dns_query option\"; "
812 "dns_query; content:\"google.net\"; nocase; sid:2;)");
815 "(msg:\"Test Z flag event\"; "
816 "app-layer-event:dns.z_flag_set; sid:3;)");
824 STREAM_TOSERVER, buf1,
sizeof(buf1));
826 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
839 printf(
"(p1) sig 1 didn't alert, but it should have: ");
843 printf(
"(p1) sig 2 did alert, but it should not have: ");
851 printf(
"toserver client 1 returned %" PRId32
", expected 0\n", r);
861 printf(
"(p2) sig 1 alerted, but it should not have: ");
865 printf(
"(p2) sig 2 alerted, but it should not have: ");
869 printf(
"(p2) sig 3 didn't alert, but it should have: ");
877 printf(
"toserver chunk 3 returned %" PRId32
", expected 0: ", r);
887 printf(
"(p3) sig 1 alerted, but it should not have: ");
891 printf(
"(p3) sig 2 didn't alert, but it should have: ");
917 static int DetectDnsQueryIsdataatParseTest(
void)
924 "alert dns any any -> any any ("
925 "dns_query; content:\"one\"; "
926 "isdataat:!4,relative; sid:1;)");
942 static void DetectDnsQueryRegisterTests(
void)
946 UtRegisterTest(
"DetectDnsQueryTest03 -- tcp", DetectDnsQueryTest03);
947 UtRegisterTest(
"DetectDnsQueryTest04 -- pcre", DetectDnsQueryTest04);
949 DetectDnsQueryTest05);
952 DetectDnsQueryIsdataatParseTest);